Korn Ferry takes your privacy and security seriously. Our Global Privacy Policy has changed; please view it here. Korn Ferry uses cookies to provide you with the best experience with the site. By closing this banner, scrolling this page, clicking a link or continuing to browse, you agree to the use of cookies. See our Cookie Policy to learn more.

General Data Protection Regulation (GDPR) Guide

On May 25, 2018, the European Union’s (EU) General Data Protection Regulation (GDPR) goes into effect. The GDPR is a significant change for global data privacy law and ushers in complex rules for organizations dealing with personal data from EU residents.

Korn Ferry respects your privacy and values the trust that you place in us. We have put together this GDPR Guide to help you understand the basics of the new Regulation and what we are doing to comply. We will update the content on this site as we make changes to how we operate.

● What is the GDPR?The GDPR is a new, comprehensive data protection regulation in the EU. It updates, strengthens, unifies, and clarifies existing EU data protection law. It gives EU residents greater rights with regard to their personal data and requires the implementation of enhanced policies and procedures.

● To whom does the GDPR apply?The GDPR applies to any organization that “processes” personal data about an EU resident (referred to in the law as a “data subject).” The collection, use, disclosure, or disposal of data, are “processing” activities under the GDPR. The definition of “personal data” under the GDPR is very broad, covering any information regarding an identified or identifiable data subject residing in the EU.

● What does the GDPR require?The GDPR establishes a variety of new requirements for the processing of data subjects’ personal data. These responsibilities vary depending on whether an organization is operating as a “data controller” or “data processor”. Under the GDPR, a “data controller” determines how personal data will be processed. A “data processor” carries out processing activities on behalf of the data controller. Depending upon the engagement at hand, we may act as either a data processor or a data controller. For example, we act as a data controller when individuals engage Korn Ferry directly and provide us with their personal data. We may act as a data processor where organizations engage Korn Ferry to provide services to their employees or otherwise on their behalf. Below are some of the most important ways that the GDPR updates current EU data privacy law:

Privacy by design. When creating systems or products for processing data subjects’ personal data, organizations must consider the privacy implications to individuals.

Enhanced policies and procedures. Both data controllers and data processors are obligated to keep records of their processing activities. Additionally, data controllers should ensure that appropriate policies for the internal handling and external transfer of data are in place to adequately protect the data.

Third-party management. Data controllers may only use data processors that ensure the adequate protection of personal data. These requirements must be backed-up by contractual agreements between data controllers and data processors, setting forth the necessary obligations.

Data breach notification. Data controllers must notify regulators within 72 hours of discovering a data breach if the breach presents a risk to the rights and freedoms of affected data subjects. If the breach presents a high risk, data controllers must notify data subjects without undue delay. Data processors are obligated to notify the data controller of data breaches without undue delay.

Transparency. Data controllers are required provide clear and transparent notice to individuals regarding the data collected, the processing and use of the data, as well as data retention and deletion policies.

● What rights do data subjects have under the GDPR?

Under the GDPR, data subjects, with some exceptions, have the right to:

Access their personal data

Correct errors in their personal data

Request the erasure of their personal data

Object to the processing of their personal data

Receive an export of their personal data

Data controllers must have a procedure in place to deal with data subject requests and respond to requests within 30 days.

Note: This overview is provided “as-is” and may change without notice. It is intended for informational purposes only and should not be relied upon as legal advice.